Profile Applicability:
- Level 1
Description:
Amazon RDS supports several database engines such as MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, and Aurora. Each of these database engines has specific version requirements and support lifecycles. Using an unsupported or deprecated engine version can expose the RDS instance to security vulnerabilities, lack of feature updates, and performance issues.
This SOP ensures that RDS instances are using a supported database engine version to maintain security, performance, and compatibility with the latest features and patches.
Rationale:
Security: Unsupported versions may not receive critical security patches, making the database vulnerable to attacks.
Performance: Newer versions often come with performance improvements, bug fixes, and new features that can enhance the database’s efficiency.
Compliance: Many compliance standards, such as PCI-DSS and SOC 2, require that systems be kept up-to-date with supported versions to ensure the highest level of security and operational effectiveness.
Future-Proofing: Using supported versions ensures that the system can take advantage of new features and is aligned with AWS best practices.
Impact:
Pros:
Improved Security: Using supported versions ensures that the database instance receives regular security patches and bug fixes.
Better Performance: Newer versions typically come with performance improvements, bug fixes, and optimizations.
Compliance: Meets regulatory requirements for maintaining supported software versions and ensuring up-to-date security practices.
Access to New Features: Using supported versions allows the use of the latest features, optimizations, and enhancements provided by the database engine.
Cons:
Compatibility Issues: Upgrading to a newer version may cause compatibility issues with existing applications or features that depend on older versions.
Migration Overhead: Updating to a supported version may require planning, testing, and potentially downtime during the migration process.
Default Value:
By default, RDS instances may be created with older versions of database engines. AWS does not automatically upgrade to newer versions unless explicitly configured to do so.
Pre-requisite:
AWS IAM Permissions:
rds:DescribeDBInstances
rds:ModifyDBInstance
AWS CLI installed and configured.
RDS engine version information from AWS documentation for the selected engine.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon RDS under Services.
In the RDS Dashboard, go to Databases and select the DB instance you want to check.
In the Configuration tab, check the Engine Version setting.
Ensure that the version displayed is a supported version for the selected database engine.
To check if the version is supported, you can refer to the official AWS RDS engine support page for the specific database engine (e.g., MySQL, PostgreSQL, etc.).
Using AWS CLI:
To check the engine version of an RDS instance, run the following command:
aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier, Engine:Engine, EngineVersion:EngineVersion}'
Review the output to ensure that the EngineVersion is a supported version for the specific database engine (e.g., MySQL, PostgreSQL, MariaDB, etc.).
To check if the current version is supported, consult AWS documentation or the AWS Management Console for available versions.
If the engine version is outdated or unsupported, you can modify the RDS instance to upgrade to a supported version:
aws rds modify-db-instance --db-instance-identifier <instance-id> --engine-version <new-version> --apply-immediately
Verify that the engine version is updated:
aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier, EngineVersion:EngineVersion}'
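The support check in the Test Plan can be automated by joining the instance list with the Status field that aws rds describe-db-engine-versions --include-all reports for each engine version. The following is an added example, not part of the original SOP or of any AWS tooling; the function name, the sample JSON and the choice to treat a version missing from the catalog as unsupported are assumptions of this example.

```python
import json

# Constructed sample data, shaped like the JSON returned by
#   aws rds describe-db-instances --output json
#   aws rds describe-db-engine-versions --include-all --output json
# Identifiers and versions are illustrative, not a statement of what AWS supports.
SAMPLE_INSTANCES = json.loads("""{"DBInstances": [
  {"DBInstanceIdentifier": "orders-db", "Engine": "mysql", "EngineVersion": "5.7.44"},
  {"DBInstanceIdentifier": "billing-db", "Engine": "postgres", "EngineVersion": "16.3"},
  {"DBInstanceIdentifier": "legacy-db", "Engine": "mariadb", "EngineVersion": "10.3.39"}
]}""")
SAMPLE_ENGINE_VERSIONS = json.loads("""{"DBEngineVersions": [
  {"Engine": "mysql", "EngineVersion": "5.7.44", "Status": "deprecated",
   "ValidUpgradeTarget": [{"EngineVersion": "8.0.39", "IsMajorVersionUpgrade": true}]},
  {"Engine": "postgres", "EngineVersion": "16.3", "Status": "available",
   "ValidUpgradeTarget": [{"EngineVersion": "16.4", "IsMajorVersionUpgrade": false}]}
]}""")


def audit_engine_versions(instances, engine_versions):
    """Return one finding per instance: PASS, or FAIL with the reason."""
    # Index the engine catalog by (engine, version) for direct lookup.
    catalog = {(v["Engine"], v["EngineVersion"]): v
               for v in engine_versions["DBEngineVersions"]}
    findings = []
    for db in instances["DBInstances"]:
        entry = catalog.get((db["Engine"], db["EngineVersion"]))
        if entry is None:
            # Assumption: a version absent from the catalog is unsupported.
            result, targets = "FAIL: version not listed", []
        elif entry.get("Status") != "available":
            result = "FAIL: " + entry.get("Status", "unknown status")
            targets = [t["EngineVersion"]
                       for t in entry.get("ValidUpgradeTarget", [])]
        else:
            result, targets = "PASS", []
        findings.append({"instance": db["DBInstanceIdentifier"],
                         "engine": db["Engine"], "version": db["EngineVersion"],
                         "result": result, "upgrade_targets": targets})
    return findings


if __name__ == "__main__":
    for f in audit_engine_versions(SAMPLE_INSTANCES, SAMPLE_ENGINE_VERSIONS):
        print(f"{f['instance']:<12} {f['engine']:<9} {f['version']:<8} "
              f"{f['result']}  {', '.join(f['upgrade_targets'])}")
```

Producing the second input requires the rds:DescribeDBEngineVersions permission in addition to those listed under Pre-requisite. The upgrade_targets values are candidates for the --engine-version argument of modify-db-instance.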
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console and navigate to Amazon RDS.
In the RDS Dashboard, select Databases and choose the RDS instance for which you want to check or update the engine version.
Click Modify.
Under Database Options, review the Engine Version setting and verify that it is up-to-date and supported.
If the version is outdated, select the latest supported version for your engine.
Click Continue and then Apply Changes to update the instance to the selected engine version.
Using AWS CLI:
To modify the engine version, run:
aws rds modify-db-instance --db-instance-identifier <instance-id> --engine-version <new-version> --apply-immediately
Verify the change:
aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier, EngineVersion:EngineVersion}'
Backout Plan:
Using AWS Console:
If updating the engine version causes issues, sign in to the AWS Management Console.
Navigate to Amazon RDS, select the DB instance, and click Modify.
Revert the engine version to the previous version, if needed.
Save the changes and allow the instance to reboot.
Using AWS CLI:
To revert the engine version, run the following command:
aws rds modify-db-instance --db-instance-identifier <DB_INSTANCE_ID> --engine-version <OLD_VERSION> --apply-immediately
Verify that the engine version has been reverted:
aws rds describe-db-instances --db-instance-identifier <DB_INSTANCE_ID>